KB5013944 Cumulative Update for Windows Server 2022 – May 10, 2022

KB5013944 is the latest cumulative update for Windows Server 2022. Microsoft released it on 10th May, 2022. KB5013944 fixes security vulnerabilities and brings performance improvements to Windows Server 2022. We will look at the key aspects of KB5013944.

You may read more about the KB5014678 cumulative update for Windows Server 2022 for the month of June 2022. It was released on 14th June 2022.

Salient points about KB5013944 for Windows Server 2022

  • KB5013944 is the latest cumulative update for Windows Server 2022.
  • KB5013944 supersedes April’s cumulative update for Windows Server 2022, KB5012604.
  • Windows Server 2022 is impacted by a zero-day vulnerability, CVE-2022-26925. This is a CVSS 8.1 vulnerability. Details are shared below.
  • Windows Server 2022 is also impacted by a critical vulnerability that affects Active Directory Domain Services. It is a CVSS 8.8 vulnerability that has serious repercussions for the server.
  • Servicing Stack Update KB5005039 needs to be installed prior to installing KB5013944 on Windows Server 2022.
  • KB5013944 update file has a size of 235 MB.
  • KB5013944 also contains the changes that are part of the optional or preview update KB5012637.
  • KB5015013 is the emergency Out-of-Band update for Windows Server 2022. It was released on May 22 by Microsoft. You can read more about it below.

KB5012604 is the cumulative update for Windows Server 2022 for April 2022.

KB5015013 Out of Band Update for Windows Server 2022

KB5015013 is an emergency out-of-band update for Windows Server 2022. It was released on May 19, 2022. KB5015013 seeks to resolve authentication issues on the domain controllers that have been patched with KB5013944. Here is a brief issue summary shared by Microsoft:

Addresses a known issue that might cause authentication failures for some services on a server or client after you install the May 10, 2022 update on domain controllers. These services include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). The issue affects how the domain controller manages the mapping of certificates to machine accounts. This issue only affects servers that are used as domain controllers; it does not affect client Windows devices.

The main points about KB5015013 are given below for your ready reference:

  • KB5015013 is a cumulative update. It supersedes KB5013944 for Windows Server 2022.
  • If you did not deploy KB5013944 on Windows Server 2022, you can straightaway deploy the KB5015013 update on Windows Server 2022.
  • If you have already deployed KB5013944, you must patch the Windows Server 2022 with KB5015013 to resolve authentication issues on domain controllers. In this case, only the changes that are incremental to KB5013944 will be deployed through KB5015013.
  • Since this is an out-of-band update, it is not available through normal channels of Windows Update. So, Windows Update, WSUS, and Microsoft Update for Business cannot be used to patch Windows Server 2022 with KB5015013.
  • You can deploy KB5015013 manually through the Microsoft Update Catalog. You can download the MSU update file for KB5015013 from the Microsoft Update Catalog page.
  • The size of the MSU update file is 235.6 MB.

KB5013944 – Zero-day vulnerability on Windows Server 2022

Windows Server 2022 is affected by a zero-day vulnerability, CVE-2022-26925. On its own it is a CVSS 8.1 vulnerability, but it can be combined with the PetitPotam vulnerability to launch NTLM relay attacks. The combined severity of NTLM relay and the LSA spoofing vulnerability is 9.8, leading to a critical impact on infrastructure comprising Windows Server 2022.

  • An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
  • NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take the mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 2022. The NTLM relay attacks are part of the PetitPotam vulnerability on Windows servers and domain controllers.
  • Since this is a man-in-the-middle (MITM) attack, the attack complexity is high and it is rated as AC:H.

Given the nature of this vulnerability, domain controllers must be patched on a priority basis.

75 vulnerabilities were announced as part of May’s security updates. Of these, CVE-2022-26925 and CVE-2022-26923 need particular attention.

CVE-2022-26923 – Active Directory Domain Services – Elevation of Privileges

CVE-2022-26923 is a serious vulnerability that could lead to the elevation of privileges on Windows Server 2022. This is a CVSS 8.8 vulnerability that could have a critical impact on the associated infrastructure. No exploitation attempts have been tracked for CVE-2022-26923. However, this may change soon. CVE-2022-26923 has no resolution as of now. As an administrator, you can take mitigating steps.

An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. The only mitigating recommendation, for now, is to turn off the Active Directory Certificate Services on the domain.

We need to keep tabs on CVE-2022-26923 in the near future. Hopefully, Microsoft can work out a resolution for this.

Prerequisites for KB5013944 on Windows Server 2022

Cumulative Update KB5005039 needs to be deployed on Windows Server 2022 prior to installing the KB5013944 cumulative update. KB5005039 was released in August 2021. If you have updated Windows Server 2022 with a cumulative update after August, you would have already been offered the changes that were part of KB5005039. You can check the server’s update history to confirm whether KB5005039 has been installed on Windows Server 2022.

You can deploy KB5005039 manually.
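The update-history check above can be combined with the KB5015013 rules from the out-of-band section into one patch-state check. The following is an added example, not code from Microsoft or from this page; the function name Get-May2022PatchState is hypothetical, and it assumes Get-HotFix lists these KBs on the host and that only the KB relationships stated on this page matter (later cumulative updates are not evaluated).

```powershell
# Added example. KB numbers and their relationships come from this page;
# the function name and output shape are hypothetical.
$Prereq = 'KB5005039'   # must be present before KB5013944
$MayLcu = 'KB5013944'   # May 10, 2022 cumulative update
$OobLcu = 'KB5015013'   # out-of-band update that supersedes KB5013944

function Get-May2022PatchState {
    param(
        [string[]]$InstalledKb = @(),      # HotFixID strings
        [bool]$IsDomainController = $false
    )
    $hasPrereq = $InstalledKb -contains $Prereq
    $hasMay    = $InstalledKb -contains $MayLcu
    $hasOob    = $InstalledKb -contains $OobLcu

    if ($hasOob) {
        $state  = 'Patched'
        $action = "$OobLcu is installed and supersedes $MayLcu."
    } elseif ($hasMay -and $IsDomainController) {
        # Domain controller with the May update but not the fix for
        # certificate-to-machine-account mapping failures (NPS, RRAS, EAP, PEAP).
        $state  = 'NeedsOutOfBand'
        $action = "Install $OobLcu manually from the Microsoft Update Catalog."
    } elseif ($hasMay) {
        # The authentication issue only affects domain controllers.
        $state  = 'Patched'
        $action = "$MayLcu is installed and this host is not a domain controller."
    } elseif (-not $hasPrereq) {
        # A later cumulative update may already carry the KB5005039 changes.
        $state  = 'Unpatched'
        $action = "Confirm $Prereq in update history, then install $OobLcu."
    } else {
        $state  = 'Unpatched'
        $action = "Install $OobLcu (or $MayLcu through Windows Update or WSUS)."
    }
    [pscustomobject]@{
        State = $state; HasPrereq = $hasPrereq; Action = $action
    }
}

# Constructed inventory: a domain controller patched only with KB5013944.
Get-May2022PatchState -InstalledKb 'KB5005039','KB5013944' -IsDomainController $true

# Live host: ProductType 2 in Win32_OperatingSystem means domain controller.
$kb   = @((Get-HotFix).HotFixID)
$isDc = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 2
Get-May2022PatchState -InstalledKb $kb -IsDomainController $isDc
```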

How can I install KB5013944 on Windows Server 2022?

KB5013944 is available through all channels of the Windows Update process.

  • KB5013944 can be applied automatically using the Windows Update program.
  • Microsoft Update for Business can be used to deploy KB5013944 on Windows Server 2022.
  • WSUS or the Windows Server Update Service can be used to install KB5013944 on Windows Server 2022.
  • You can deploy KB5013944 manually. The patch or MSU update file can be downloaded from the Microsoft Update catalog page. The MSU update file should correspond to Windows Server 21H2 version.
  • The MSU update file has a size of 235 MB.

.NET Framework Updates for Windows Server 2022

January updates broke the Active Directory Forest Trust information settings on Windows Server 2022. The issue happened on account of the underlying .NET Framework on the servers. Microsoft has released .NET updates that can be applied to resolve the issue.

  • .NET Framework 4.8 on Windows Server 2022 can be updated with the KB5011258 update.
  • The update file for KB5011258 can be downloaded from the Microsoft Update Catalog page. The update file is available for x64 and ARM64 architectures. The size of the KB5011258 update file is 355 KB.

Summary

KB5013944 is a cumulative update that supersedes KB5012604. The important points about this month’s update are the CVE-2022-26925 and CVE-2022-26923 vulnerabilities. You will need to deploy August’s cumulative update prior to installing KB5013944 on Windows Server 2022.
